We equip choreography-level session descriptions with a simple abstraction of a security infrastructure. Message components may be enclosed within (possibly nested) "boxes" annotated with the intended source and destination of those components. The boxes are to be implemented with cryptography.

Strand spaces provide a semantics for these choreographies, in which some roles may be played 
by compromised principals. A skeleton is a partially ordered structure containing local behaviors 
(strands) executed by regular (non-compromised) principals. A skeleton is realized if it contains 
enough regular strands so that it could actually occur, in combination with any possible activity 
of compromised principals. It is delivery guaranteed (DG) realized if, in addition, every message 
transmitted to a regular participant is also delivered. 

We define a novel transition system on skeletons, in which the steps add regular strands. These 
steps solve tests, i.e. parts of the skeleton that could not occur without additional regular behavior. 

We prove three main results about the transition system. First, each minimal DG realized skeleton 
is reachable, using the transition system, from any skeleton it embeds. Second, if no step is possible 
from a skeleton A, then A is DG realized. Finally, if a DG realized A' is accessible from A, then A' 
is minimal. Thus, the transition system provides a systematic way to construct the possible behaviors 
of the choreography, in the presence of compromised principals. 

1 Introduction 

Distributed transactions are increasingly central to our economic and social infrastructure. Rigorous, 
type-based notions of session are thus subjects of intense exploration, as they can ensure that commu- 
nications among principals are properly coordinated [14, 11, 12, 2, 13]. However, sessions require a 
security infrastructure, since the data they carry may be sensitive, and a transaction may (for instance) 
transfer money from one person to another. Standard security infrastructures, such as TLS [7] for web 
interactions, are two-party, point-to-point mechanisms. When a transaction involves more than two 
parties — for instance, a buyer, a seller, and a bank — then it is hard to see how to use TLS sessions to 
ensure that the parties get any security guarantees. 

An alternative, given a session choreography, is to synthesize a security infrastructure that is appropriate to the goals of that session [5, 6]. This infrastructure is effectively a custom cryptographic protocol generated specifically to ensure that malicious principals cannot undermine the behavior that the advertised session choreography promises to compliant principals. Generating this protocol, and ensuring its correctness, requires reasoning at several levels, including both the choreography level and the cryptographic level.

*The first author is partially funded by the CosmoBiz project. The second author is partially funded by the National Science Foundation (grant no. CNS-0952287).
In this paper we study reasoning specifically at the choreography level, without introducing the complexities of realistic cryptography. These complexities include selection of public-key and symmetric cryptographic primitives, as well as key distribution. Another recent paper which treats protocols by an abstraction of their cryptographic mechanisms is [1].

We use a simple choreography-level specification for security of parts of messages, which we call boxes. A box $[M]_{p_1 p_2}$ represents the fact that message $M$ will be sent in some format $x$ such that, if $p_1$ and $p_2$ are uncompromised roles, then $x$ was prepared only by $p_1$ and can be opened only by $p_2$. Boxes may appear nested inside other boxes. Naturally, any implementation of boxes will require cryptography. We might implement boxes by message structures in which $p_1$, $p_2$ first agree on a shared secret, and then use it to encrypt and provide message authentication for $M$ (and other messages as determined by the choreography). The first step of agreeing on a shared secret may rely on public-key cryptography. Boxes are a mechanism to specify when a message component achieves secrecy and integrity between two uncompromised principals, despite other compromised principals behaving unpredictably or maliciously.

In this paper, we will develop a method to define the possible behaviors of a choreography as a 
function of a choice of compromised roles R. That is, given an assumption that principals not in R will 
behave in accordance with their roles in the choreography, we would like to define all possible behaviors 
a choreography execution can exhibit. To do so, we translate each choreography description into a set of 
strands. Each of these strands represents a possible local behavior of one principal in a single session, 
running a role of the choreography. These regular, non-compromised strands may interact with each 
other and with any behavior within the power of the adversary, to produce a variety of global executions. 
We give a method for generating all of these global executions, or more precisely, for finding the minimal, 
essentially different executions. 

We call these minimal, essentially different executions shapes. Each shape is a shape relative to some 
starting point, typically some assumed local strand representing a behavior of a single participant. The 
shapes describe the possible explanations for the experience of this participant, i.e. what other local exe- 
cutions (strands) of regular participants would be needed in possible runs, in combination with adversary 
actions. They are minimal in that no lesser amount of regular behavior would yield a full explanation of 
regular activity in the starting point. 

We generate shapes via a transition system defined by two rules. One rule says that additional strands 
must be added when a participant receives a box that the adversary could not create, and which is not yet 
explained by an earlier transmission from an uncompromised strand. It also applies to situations where 
a box has been removed from nested boxes, and only regular strands can extract it. 

The other rule corresponds to the usual choreography assumption on the communication medium. 
This assumption is that the medium is resilient, i.e. that when an uncompromised participant sends a 
message to another uncompromised participant, then that message will be delivered. Since we work in 
a partially ordered execution model, there is no assumption about when this message will be delivered, 
relative to causally unrelated actions. We present three main results. 

1. In the transition system defined by our two rules, and relative to a chosen assumption $R$ about compromised roles, if $A'$ is any shape compatible with a starting point $A$, then $A \to^* A'$. The same holds for shapes with guaranteed delivery. (Thm. 1.)

2. When we start from a single strand $A$, then any maximal trace $A \to_S^* A' \not\to_S$ terminates with a shape $A'$ with delivery guaranteed. (Thm. 2.)

3. Every trace starting from a single strand terminates. (Thm. 3.)

In particular, the first point holds for all strand spaces based on boxes, while the second and third are 
specific to strand spaces defined as the semantics of choreographies in a particular syntax. 
2 Abstract Strand Spaces
2.1 Basic Definitions 

Definition 1 (Messages and Boxes). Messages $M$ and boxes $b$ are defined:

$$W ::= v \mid b \qquad\qquad M ::= \tilde{W} \qquad\qquad b ::= [\tilde{M}]_{p_1 p_2}$$

where $\tilde{\ }$ denotes a tuple of zero or more elements, $v$ is a basic value, belonging to a finite set of basic values, and $p_i$ ranges over the set of roles $\mathcal{R}$.

A message $M$ can either be a value $v$ or a box $[\tilde{M}]_{p_1 p_2}$. We also use the letter $c$ to denote boxes. A box is a tuple of messages $M_i$ from $p_1$ that can only be opened by $p_2$.

A strand space, first introduced in [15] as a formalism for reasoning about cryptographic protocols, is 
a collection of strands. Here, we introduce abstract strand spaces, strand spaces where messages range 
over M (unlike the original version with cryptography). A substitution is a function that maps basic 
values to basic values. Since basic values form a finite set, there are only finitely many substitutions. 

Definition 2 (Abstract Strand Space). A directed term is a pair denoted by $\pm M$ where $\pm \in \{-, +\}$ is a direction, with $+$ representing transmission and $-$ reception. A trace is an element of $(\pm M)^*$, the set of finite sequences of directed terms.

An abstract strand space is a set $S$ with a trace mapping $tr : S \to (\pm M)^*$. A strand is an element of $S$. A strand space $S$ is closed under a set of substitutions $\Sigma$ if for every $s \in S$ and $\sigma \in \Sigma$, there is an $s' \in S$ such that $tr(s') = \sigma(tr(s))$.

In this paper we consider finite strand spaces that are closed under substitutions of basic values for 
basic values. 

Notation. If $s \in S$ is a strand then $s(i)$ denotes the $i$-th element of the trace of $s$ and is called a node. We write $m \Rightarrow n$ when $n$ is the node immediately after $m$ on the same strand $s$, i.e. $m = s(i)$ and $n = s(i+1)$. Also, $msg(n)$ denotes the message of the directed term in $n$, while $neg(n)$ ($pos(n)$) holds if $n$ is a reception (transmission) node.

It is now interesting to see how these input/output traces could be combined together in order to form a 
real execution. Skeletons express parts of an execution (with some pending transmission/reception nodes 
related to adversary activity): 

Definition 3 (Skeleton). Given a strand space $S$, a skeleton $A$ is a finite set of regular nodes (nodes belonging to strands of $S$), denoted by $nodes(A)$, equipped with a partial order $\preceq_A$ on $nodes(A)$ indicating causal precedence (consistent with $\Rightarrow$). Moreover, if $m \Rightarrow n$ and $n \in nodes(A)$, then $m \in nodes(A)$.

In the rest of the paper, $\prec$ will denote the non-reflexive subrelation of $\preceq$.

Example 1. As an example, let us consider a skeleton composed of three strands. In diagram (1) of the original, outgoing and incoming edges denote transmission and reception nodes respectively.

[Diagram (1), not reproduced: the strand of $p_1$ transmits $[M]_{p_1 p_3}$ at $n_1$; the strand of $p_2$ receives $[M]_{p_1 p_3}$ at $n_2$ and then transmits $[M', [M]_{p_1 p_3}]_{p_2 p_3}$ at $n_3$; the strand of $p_3$ receives $[M', [M]_{p_1 p_3}]_{p_2 p_3}$ at $n_4$; the order has $n_1 \prec n_2$ and $n_3 \prec n_4$.]

The three strands above belong to roles $p_1$, $p_2$ and $p_3$ respectively. If the middle strand were not there, e.g. if $p_2$ were compromised, then we would have the skeleton consisting of the $p_1$ and $p_3$ strands alone (the second diagram of the original is not reproduced).
As previously said, some roles may belong to compromised principals. In the sequel, we let $R \subseteq \mathcal{R}$ be the set of compromised roles. Moreover, we assume that each strand is always marked with the role it belongs to (a strand belongs to exactly one role). On these premises, it is natural to define the untamed behaviour of $R$ (or adversary) in terms of penetrator strands:

Definition 4 (Abstract Penetrator). $\mathcal{P}_R$, the abstract penetrator for a set of compromised roles $R$, is the set of strands of the forms:

(C) $-M_0 \Rightarrow -(M_1, \ldots, M_k) \Rightarrow +(M_0, M_1, \ldots, M_k)$

(S) $-(M_0, M_1, \ldots, M_k) \Rightarrow +M_0 \Rightarrow +(M_1, \ldots, M_k)$

(A) $+v$

(B) $-M \Rightarrow +[M]_{p_1 p_2}$ where $p_1 \in R$

(O) $-[M]_{p_1 p_2} \Rightarrow +M$ where $p_2 \in R$

Above, (C) allows the penetrator to compose received messages and resend them; in (S), a compound message can be separated and resent; (B) allows the penetrator to box messages, signing them with a compromised role (from $R$); with (O), the penetrator can open boxes targeted to compromised roles; and using (A), the penetrator can send any clear text.
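As an added example (not code from the paper), the following Python implements the abstract penetrator of Definition 4 as a derivability check: a finite closure of the received messages under (S) and (O), followed by a goal-directed search using (A), (C) and (B). Messages are encoded as Python strings (basic values), tuples (compound messages) and a `Box` record; the names `Box`, `analyze`, `derivable` and `can_send` are this example's own. Because (A) is unrestricted, every basic value is available to the adversary in this abstraction; what the model protects is who could have built a box.

```python
from dataclasses import dataclass
from typing import Any, FrozenSet, Iterable, Set


@dataclass(frozen=True)
class Box:
    """The box [body]_{sender receiver} of Definition 1."""
    sender: str
    receiver: str
    body: Any  # a basic value (str), a tuple of messages, or a nested Box


def analyze(received: Iterable[Any], R: Set[str]) -> FrozenSet[Any]:
    """Closure of the received messages under (S) separation and (O) opening.

    This is the finite, destructive half of the penetrator: tuples are split,
    and a box is opened only if its receiver is a compromised role in R.
    """
    known: Set[Any] = set(received)
    todo = list(known)
    while todo:
        m = todo.pop()
        parts = []
        if isinstance(m, tuple):                          # (S)
            parts = list(m)
        elif isinstance(m, Box) and m.receiver in R:      # (O)
            parts = [m.body]
        for p in parts:
            if p not in known:
                known.add(p)
                todo.append(p)
    return frozenset(known)


def derivable(target: Any, known: FrozenSet[Any], R: Set[str]) -> bool:
    """Can the penetrator emit `target` from `known`? (A), (C), (B), recursively.

    `known` is the result of analyze(); synthesis never needs to open or split
    again, so the recursion is on the structure of `target` only.
    """
    if target in known:
        return True
    if isinstance(target, str):                           # (A): any basic value
        return True
    if isinstance(target, tuple):                         # (C): compose components
        return all(derivable(t, known, R) for t in target)
    if isinstance(target, Box):                           # (B): box with a compromised sender
        return target.sender in R and derivable(target.body, known, R)
    return False


def can_send(target: Any, received: Iterable[Any], R: Set[str]) -> bool:
    """Is `target` within the power of the adversary for compromised roles R?"""
    return derivable(target, analyze(received, R), R)


if __name__ == "__main__":
    # Constructed input in the style of Example 2: p1 boxes a secret for p3,
    # then boxes that box for p2 and transmits it.
    inner = Box("p1", "p3", "secret")
    outer = Box("p1", "p2", inner)
    print(can_send(inner, [outer], set()))                      # False: nobody can open or forge it
    print(can_send(inner, [outer], {"p2"}))                     # True: p2 opens the outer box
    print(can_send(Box("p2", "p3", inner), [outer], {"p2"}))    # True: re-boxed in p2's name
    print(can_send(Box("p1", "p3", "other"), [outer], {"p2", "p3"}))  # False: p1 is honest
```

The split into `analyze` and `derivable` is the usual analysis/synthesis decomposition of a Dolev-Yao adversary: the destructive rules reach a fixpoint on a finite set, while the constructive rules (which could build unboundedly many messages) are only applied toward a given target.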

We can compose (instances of) the various strands above with a skeleton in order to build the graph of interaction of a skeleton $A$ with respect to a penetrator $\mathcal{P}_R$, i.e. an acyclic directed graph $\mathcal{B}$ whose nodes are the nodes of strands in $\mathcal{P}_R$ and $A$, and whose edges are obtained by connecting any transmitting node $m$ with a receiving node $n$ such that $msg(m) = msg(n)$. We say of two nodes $m_0, m_k$ of $\mathcal{B}$ that $m_0 \preceq_{\mathcal{B}} m_k$ if there is a sequence $m_0, m_1, \ldots, m_k$ such that for each pair $m_i, m_{i+1}$, either $m_i \Rightarrow m_{i+1}$, or $m_i \Rightarrow m_{i+1}$ on a penetrator strand of $\mathcal{P}_R$, or $m_i$ is a transmission node and $m_{i+1}$ is a receiving node connected to it.

We now define a realized skeleton, i.e. a skeleton that has precisely the behavior of some execution:

Definition 5 (Realized Skeleton). A skeleton $A$ is realized if there is a graph of interaction $\mathcal{B}$ of $A$ wrt $\mathcal{P}_R$ such that every reception node has an incoming edge, and for all nodes $m, n \in nodes(A)$, $m \preceq_{\mathcal{B}} n$ implies $m \preceq_A n$.

A shape is a minimal homomorphism preserving $\preceq$ that maps a skeleton into a realized one. Below, a homomorphism $H : A_0 \mapsto A_1$ is node-wise injective if it is an injective function on the nodes of $A_0$. Moreover, $H_0$ is node-wise less than or equal to $H_1$, written $H_0 \le H_1$, if for some node-wise injective $L$, $L \circ H_0 = H_1$. We then say that $H_0$ is node-wise minimal in some set $Z$ whenever $H_0 \in Z$ and for any $H \in Z$, $H \le H_0$ implies $H$ and $H_0$ are isomorphic.

Definition 6 (Shape [8]). $H : A_0 \mapsto A'$ is a shape for $A_0$ if $H$ is node-wise minimal among the set of homomorphisms $H' : A_0 \mapsto A''$ where $A''$ is realized.

Sometimes, with an abuse of terminology, if $H : A \mapsto A'$ is a shape for $A$, we shall say that $A'$ is a shape for $A$. For instance, the skeleton in (1) is a shape for the strand beginning at $n_1$. On the other hand, because of the extra node $n_4$, the realized skeleton (2) below is not a shape for that strand.

M. Carbone & J. Guttman

[Diagram (2), not reproduced: a realized skeleton over nodes $n_1, \ldots, n_6$ whose messages are boxes with subscripts $p_2 p_3$ and $p_3 p_1$.]
We also consider special skeletons which guarantee that messages are delivered. 

Definition 7 (Delivery-Guaranteed Skeletons). A delivery-guaranteed skeleton (DG skeleton) is a skeleton such that for every positive node $n$ with $msg(n) = [M]_{p_1 p_2}$ and $p_2 \notin R$ there exists a negative node $n'$ on another strand such that $msg(n') = msg(n)$.

Note that (2) is not DG while (1) is. Delivery-guaranteed skeletons characterize some special shapes: 

Definition 8 (Delivery-Guaranteed Shape). $H : A_0 \mapsto A'$ is a DG shape for $A_0$ if $H$ is node-wise minimal among the set of homomorphisms $H' : A_0 \mapsto A''$ where $A''$ is a realized and DG skeleton.



2.2 Characterizing Realized Skeletons 

In this subsection, we will introduce a characterization of realized skeletons in the spirit of [9]. The idea is to use authentication tests [8] as a method for explaining why a message is suddenly found outside a box which previously contained it. In general, either the box owner is compromised or else the message was transmitted by a regular strand. The following definition formalizes the idea of a message occurring inside or outside a set of boxes.

Definition 9. A message $M_0$ is found only within a set of boxes $B$ in $M_1$, written $M_0 \odot_B M_1$, whenever every occurrence of $M_0$ in $M_1$ is nested inside a box of $B$.

A message $M_0$ is found outside $B$ in $M_1$, written $M_0 \not\odot_B M_1$, whenever not $M_0 \odot_B M_1$.

As an example, for $M \neq$ "Hi", $M$ is found only within $\{[M]_{p_1 p_2},\ [[M, \text{"Hi"}]_{p_3 p_1}, \text{"Hi"}]_{p_3 p_4}\}$ in $[[M]_{p_1 p_2}]_{p_2 p_3}$ and in $[[[(M, \text{"Hi"})]_{p_3 p_1}, \text{"Hi"}]_{p_3 p_4}]_{p_4 p_1}$. Also, $M$ is found only within $\{[\text{"Hi"}]_{p_3 p_1}\}$ in $[[\text{"Hi"}]_{p_1 p_2}]_{p_3 p_1}$, as it does not occur at all. On the contrary, $M$ is found outside $\{[\text{"Hi"}]_{p_1 p_2}\}$ in $[M, [\text{"Hi"}]_{p_1 p_2}]_{p_3 p_4}$.

Given a skeleton, a set of boxes and a message, we can highlight those minimal nodes for which such 
a message is found only outside the boxes. This is formalized by the notion of cut: 

Definition 10 (Cut). Let $M$ be a message, $B$ a set of boxes and $A$ a skeleton. Then,

$$Cut(M, B, A) = \{\, n \in nodes(A) : \exists m \preceq_A n \text{ and } M \not\odot_B msg(m) \,\}$$

$Cut(M, B, A)$ is defined whenever there exists a node $n$ in $A$ such that $M \not\odot_B msg(n)$.

Note that $M$ occurs outside $B$ in all minimal nodes of $Cut(M, B, A)$. Consider the following skeleton $A$ (diagram (3) of the original, not reproduced): $n_1$, on the strand of $p_1$, transmits $[[M]_{p_1 p_3}]_{p_1 p_2}$; $n_2 \Rightarrow n_3$ on a strand of $p_2$ receives it and then transmits $[M', [M]_{p_1 p_3}]_{p_2 p_3}$; $n_4$, on a strand of $p_3$, receives $[M', [M]_{p_1 p_3}]_{p_2 p_3}$; the skeleton also contains the nodes $n_5$ (of $p_3$) and $n_6$ (of $p_2$).

$Cut([M]_{p_1 p_3}, B, A)$ is the set $\{n_3, n_4, n_5, n_6\}$ with minimal nodes $\{n_3, n_6\}$ for $B = \{[[M]_{p_1 p_3}]_{p_1 p_2}\}$, and the whole skeleton $A$ for $B = \emptyset$ (assuming that $\{n_1\} \in p_1$, $\{n_2, n_3, n_6\} \in p_2$ and $\{n_4, n_5\} \in p_3$, and no role is in $R$). Also, $Cut([M]_{p_1 p_3}, B, A) = \{n_6\}$ for $B = \{[[M]_{p_1 p_3}]_{p_3 p_2}\}$, but it is empty if $p_2$ were compromised. In the subskeleton $A'$ composed of nodes $n_1$ and $n_2$ we have $Cut([M]_{p_1 p_3}, \{[[M]_{p_1 p_3}]_{p_1 p_2}\}, A') = \emptyset$.

The idea behind authentication tests is that any minimal node in a cut needs to be explained in the 
skeleton. In other words, there must be an earlier sequence of events that extracted the message out of 
some box or legally created it. Formally, 

Definition 11 (Solved Cut). A cut $Cut(M, B, A)$ is solved wrt a set of compromised roles $R$ if for any of its $\prec_A$-minimal nodes $m_1$:

1. either $m_1$ is a transmission node;

2. or $M = [M']_{p_1 p_2}$ and $p_1 \in R$, or for some $[M']_{p_1 p_2} \in B$, $p_2 \in R$.

The definition above says that a cut $Cut(M, B, A)$ is solved whenever, for every minimal reception node $n$, $M$ is outside $B$ in $n$ because of some penetrator activity. For instance, in (3), $Cut([M]_{p_1 p_3}, B, A) = \{n_6\}$ is not solved for $B = \{[[M]_{p_1 p_3}]_{p_3 p_2},\ [[M]_{p_1 p_3}]_{p_1 p_2},\ [M', [M]_{p_1 p_3}]_{p_2 p_3}\}$ and $R = \emptyset$, while it is solved if $R = \{p_2\}$. The above definition turns out to be a crucial property of realized skeletons. In fact, the following proposition states that the property of being realized is characterized by all of its cuts being solved.
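The following Python, an added example and not the paper's own code, implements Definition 9 (found only within), Definition 10 (the cut and its $\prec$-minimal nodes) and Definition 11 (solved cut) over a small skeleton built after diagram (3). The nodes $n_5$, $n_6$ of the original are left out, so the skeleton is a constructed four-node variant, and the class and function names are this example's own. It exhibits the three situations the text describes: a cut whose minimal node is a transmission, a reception of a box from an honest sender with no explaining transmission, and a cut that becomes solved once the receiver of a box in $B$ is compromised.

```python
from dataclasses import dataclass
from typing import Any, Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Box:
    sender: str
    receiver: str
    body: Any  # basic value (str), tuple of messages, or nested Box


def only_within(m0: Any, m1: Any, B: Set[Box]) -> bool:
    """M0 (.)_B M1 (Definition 9): every occurrence of m0 in m1 is nested in a box of B."""
    if m1 == m0:
        return False                      # an occurrence not protected by a box of B
    if isinstance(m1, Box):
        return True if m1 in B else only_within(m0, m1.body, B)
    if isinstance(m1, tuple):
        return all(only_within(m0, t, B) for t in m1)
    return True                           # a different basic value: m0 does not occur here


@dataclass(frozen=True)
class Node:
    name: str
    role: str
    sign: str   # "+" transmission, "-" reception
    msg: Any


class Skeleton:
    """Finite set of regular nodes with strand order => and added causal order < (Definition 3)."""

    def __init__(self, nodes: Iterable[Node], strand: Iterable[Tuple[str, str]],
                 order: Iterable[Tuple[str, str]]):
        self.nodes: Dict[str, Node] = {n.name: n for n in nodes}
        self.edges = set(strand) | set(order)   # (a, b): a immediately precedes b

    def before(self, name: str) -> Set[str]:
        """{m : m precedes-or-equals name}, the reflexive transitive closure of the edges."""
        seen, todo = {name}, [name]
        while todo:
            x = todo.pop()
            for a, b in self.edges:
                if b == x and a not in seen:
                    seen.add(a)
                    todo.append(a)
        return seen

    def cut(self, M: Any, B: Set[Box]) -> Set[str]:
        """Cut(M, B, A) of Definition 10."""
        return {n for n in self.nodes
                if any(not only_within(M, self.nodes[m].msg, B) for m in self.before(n))}

    def minimal(self, S: Set[str]) -> Set[str]:
        """The <-minimal elements of a set of node names."""
        return {n for n in S if self.before(n) & S == {n}}

    def solved(self, M: Any, B: Set[Box], R: Set[str]) -> bool:
        """Definition 11: each minimal node of the cut is a transmission, or the adversary
        could have produced M outside B (M boxed by a compromised sender, or some box of B
        addressed to a compromised receiver)."""
        for n in self.minimal(self.cut(M, B)):
            if self.nodes[n].sign == "+":
                continue
            if isinstance(M, Box) and M.sender in R:
                continue
            if any(b.receiver in R for b in B):
                continue
            return False
        return True


# Constructed skeleton after diagram (3): p1 sends [[M]_{p1p3}]_{p1p2}; p2 receives it and
# forwards [M', [M]_{p1p3}]_{p2p3}; p3 receives that.
inner = Box("p1", "p3", "M")
outer = Box("p1", "p2", inner)
fwd = Box("p2", "p3", ("M'", inner))
N1, N2, N3, N4 = (Node("n1", "p1", "+", outer), Node("n2", "p2", "-", outer),
                  Node("n3", "p2", "+", fwd), Node("n4", "p3", "-", fwd))
A_full = Skeleton([N1, N2, N3, N4], strand=[("n2", "n3")], order=[("n1", "n2"), ("n3", "n4")])
A_no_p1 = Skeleton([N2, N3, N4], strand=[("n2", "n3")], order=[("n3", "n4")])   # p1's node missing
A_n2_n4 = Skeleton([N2, N4], strand=[], order=[])                                # p2 did not forward

if __name__ == "__main__":
    print(A_full.cut(inner, {outer}), A_full.solved(inner, {outer}, set()))
    print(A_no_p1.solved(outer, set(), set()), A_no_p1.solved(outer, set(), {"p1"}))
    print(A_n2_n4.solved(inner, {outer}, set()), A_n2_n4.solved(inner, {outer}, {"p2"}))
```

In `A_no_p1` the box $[[M]_{p_1 p_3}]_{p_1 p_2}$ is received by $p_2$ with no transmission before it, so the cut is unsolved unless $p_1 \in R$; in `A_n2_n4` the inner box is found outside $B = \{[[M]_{p_1 p_3}]_{p_1 p_2}\}$ at $n_4$ and the only way to explain it without $n_3$ is an adversary that can open the outer box, i.e. $p_2 \in R$.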

Proposition 1. Let $A$ be a skeleton. Then, every cut in $A$ is solved if and only if $A$ is realized.

Proof. $\Rightarrow$: We prove this by contradiction. Assume that $A$ is not realized. Then, by definition, there must be an input node $n$ containing a message that a penetrator $\mathcal{P}_R$ is not allowed to send, i.e. there is some node $n$ such that, for all $m \prec_A n$, either (i) $p_1 \notin R$, $[M]_{p_1 p_2}$ is nested in $msg(n)$ and does not occur in $msg(m)$; or (ii) for some message $M$ and $p_2 \notin R$, we have that $M \not\odot_{\{[M]_{p_1 p_2}\}} msg(n)$ and $M \odot_{\{[M]_{p_1 p_2}\}} msg(m)$. If (i) holds, then $Cut([M]_{p_1 p_2}, \emptyset, A)$ is clearly unsolved. Similarly, if (ii) holds then $Cut(M, \{[M]_{p_1 p_2}\}, A)$ is unsolved.

$\Leftarrow$: Assume that there is a cut $Cut(M, B, A)$ which is not solved. That means that there is a minimal input node where $M$ is found outside $B$, such that $M \neq [M']_{p_1 p_2}$ for any $p_1 \in R$, and for no $[M']_{p_1 p_2} \in B$ is $p_2 \in R$. But then, there is no penetrator activity which could derive $M$, hence $A$ would not be realized. $\square$

We conclude this section by observing that an unsolved cut implies the existence of another unsolved cut whose boxes $B$ are messages appearing in the current skeleton. In the sequel, let the relation $M \sqsubseteq M'$ hold whenever $M$ is contained in $M'$ ($\sqsubseteq$ is reflexive).

Proposition 2. Let $A$ be a skeleton and $Cut([M]_{p_1 p_2}, B, A)$ an unsolved cut. Then, $Cut([M]_{p_1 p_2}, B', A)$ is also unsolved for

$$B' = \{\, b \mid n' \prec_A n \text{ s.t. } [M]_{p_1 p_2} \sqsubseteq b \sqsubseteq msg(n') \wedge rcv(b) \notin R \,\}$$

for some $\prec_A$-minimal input node $n$ in $Cut([M]_{p_1 p_2}, B, A)$ and $p_1 \notin R$.

Proof. Let $c = [M]_{p_1 p_2}$. From Definition 11, there exists a $\prec_A$-minimal input node $n$ in $Cut(c, B, A)$ such that $p_1 \notin R$ and $p_4 \notin R$ for all $[M']_{p_3 p_4} \in B$. Let us now consider the predecessors $n'$ of $n$ in $A$ which, by definition of cut, are such that $c \odot_B msg(n')$. We consider two cases: (i) if none of $n$'s predecessors contains $c$ then $B' = \emptyset$ and therefore $Cut(c, \emptyset, A)$ is unsolved, as $n$ is a minimal node such that $c \not\odot_\emptyset msg(n)$; (ii) $n_1, \ldots, n_k$ are $n$'s predecessors such that $c \sqsubseteq msg(n_i)$. Letting

$$B_i = \{\, b \mid c \sqsubseteq b \sqsubseteq msg(n_i) \text{ and } rcv(b) \notin R \,\},$$

$B_i \subseteq B$, because $n$ is a minimal node in $Cut(c, B, A)$. Thus, as $c \odot_{\bigcup_i B_i} msg(n_i)$, $n$ is also minimal in $Cut(c, \bigcup_i B_i, A)$. Finally, as $B' = \bigcup_i B_i$, we can conclude that $Cut(c, B', A)$ is also unsolved. $\square$
3 Searching for Shapes

The results on cuts suggest a possible way of adding nodes to a skeleton so that it can become realized. We shall now address this problem and introduce a constructive method for deriving realized skeletons from non-realized ones. In the sequel, the operation $A \cup\!\downarrow m$, with $m \prec n$, returns the skeleton $A'$ consisting of $A$ and the nodes $\{\, m' \mid m' \Rightarrow^* m \wedge m' \in nodes(S) \,\}$, with the ordering strengthened so that $m \prec n$. Similarly, $A \cup\!\uparrow m$, with $n \prec m$, is the corresponding $A'$ with the opposite order enrichment $n \prec m$.

Definition 12 (Reduction Rules). The relation between skeletons $A \to_S A'$ is the minimum relation satisfying the following rules:

(A1)
$$\frac{\begin{array}{l} n \in A \wedge neg(n) \qquad c = [M]_{p_1 p_2} \qquad c \not\odot_B msg(n) \\ m \in S \setminus A \wedge pos(m) \qquad p_1 \notin R \qquad c \not\odot_B msg(m) \\ \forall m'.\ m' \prec_A n \vee m' \Rightarrow m \ \text{ implies } \ c \odot_B msg(m') \end{array}}{A \to_S A \cup\!\downarrow m \ \text{ with } m \prec n}$$

(A2)
$$\frac{\begin{array}{l} n \in A \wedge pos(n) \qquad msg(n) = [M]_{p_1 p_2} \qquad \neg\exists m' \in A.\ (neg(m') \wedge n \prec m' \wedge msg(m') = msg(n)) \\ p_2 \notin R \qquad m \in nodes(S) \wedge neg(m) \wedge msg(m) = msg(n) \end{array}}{A \to_S A \cup\!\uparrow m \ \text{ with } n \prec m}$$

where the set of strands $S$ (strand space domain) is the set of regular strands. Observe in rule (A1) that if there is any $B$ that satisfies the premise, then

$$B = \{\, b \mid n' \prec_A n \text{ s.t. } [M]_{p_1 p_2} \sqsubseteq b \sqsubseteq msg(n') \wedge rcv(b) \notin R \,\}$$

We briefly comment on the rules above. The first rule adds, when possible, nodes that explain why a message is found outside a box. Given a box $c$, the set of boxes $B$ and a node $n$ which is minimal in $Cut(c, B, A)$, we choose $m$ to be the minimal node preceding $n$ such that $c$ is found outside $B$. Note that $m$ may already be in the skeleton (added together with some $m'$ such that $m \Rightarrow^* m'$) and the rule may still be applicable, because $\prec$ needs to be updated. The second rule deals with adding a recipient, if any is found, to an output node.

Proposition 3. If $A \to_S A'$ then $A$ is not realized or $A$ is not DG.

Proof. If the reduction $A \to_S A'$ is obtained by applying rule (A1), then the cut $Cut([M]_{p_1 p_2}, B, A)$ is clearly not solved. On the other hand, if $A \to_S A'$ by (A2), then we are clearly adding an input node to a pending output. $\square$

In the sequel, we say that a homomorphism $H : A \mapsto A'$ is an augmentation whenever $H$ is an inclusion (identity on the domain $A$), any node in $A' \setminus A$ belongs to the same strand, and $\preceq_{A'}$ is an extension of $\preceq_A$. Directly from the rules, it follows that:

Proposition 4. Let $H$ map $A$ to $A'$ such that $A \to_S A'$. Then $H$ is an augmentation.

Building on the above proposition, we say that $H$ is of type 1 (type 2) if it corresponds to the application of rule (A1) (rule (A2)).

In the sequel $A \to_S^* A'$ holds whenever there exists a finite sequence $A_1 \to_S \cdots \to_S A_k$ such that $A = A_1$ and $A' = A_k$. Moreover, $A \not\to_S$ whenever there is no $A'$ such that $A \to_S A'$. The following result states that we can always reach all the shapes by repeatedly applying the rules.
Theorem 1 (Completeness).

1. Let $A$ be a single-strand skeleton and $H$ a shape such that $H : A \mapsto A'$. Then $A \to_S^* A'$ (up to isomorphism).

2. Let $A$ be a single-strand skeleton and $H$ a DG shape such that $H : A \mapsto A'$. Then $A \to_S^* A'$ (up to isomorphism).

Proof. From Proposition 4, we only have to prove that shapes can be expressed as the composition of augmentations of type 1 or 2 (type 2 is only considered when proving point 2). Formally, we show that there exists a $k$ such that for every $i \in \{0, 1, \ldots, k\}$ we have $H = L_i \circ H_i \circ \cdots \circ H_1 \circ H_0$, where $L_i$ is a node-wise injective homomorphism, $H_0$ the identity mapping and $H_1, \ldots, H_i$ augmentations.

The first step is to show how we can find $k$ and inductively construct each $H_i$ and $L_i$ starting from the identity:

• Base Case. As $H_0$ must be the identity, we choose $L_0 = H$, noting that $H$ is node-wise injective by definition of shape. We then have that $H = L_0 \circ H_0$.

• Inductive Case. Let $H = L_i \circ H_i \circ \cdots \circ H_1 \circ H_0$ such that $H_0$ is the identity and $H_1, \ldots, H_i$ are augmentations. If $L_i$ is an isomorphism then $i = k$ and we can stop. In fact, by definition of shape, $A'$ is a minimal realized skeleton, hence the image of $H_i \circ \cdots \circ H_1 \circ H_0$ is isomorphic to $A'$, the image of $H$.

Let $L_i$ not be an isomorphism. Moreover, let $L_i : A_i \mapsto A'$ and $H_i \circ \cdots \circ H_1 \circ H_0 : A \mapsto A_i$ for some $A_i$. We show how to construct $H_{i+1}$ and $L_{i+1}$. By definition of shape, as $L_i$ is not an isomorphism, $A_i$ is not realized. If that is the case, then either there is a dangling output (this is to be considered only when proving point 2) or, by Proposition 1, there exists an unsolved cut $Cut([M]_{p_1 p_2}, B, A_i)$, i.e., by definition of cut, there exists an input node $m_1$, $\prec_{A_i}$-minimal in $Cut([M]_{p_1 p_2}, B, A_i)$, such that $p_1 \notin R$ and for all $[M']_{p_3 p_4} \in B$, $p_4 \notin R$. Now, as $A'$ is realized, all its cuts must be solved. Then, because $L_i$ is node-wise injective, we can choose a node in the pre-image of $L_i$ which is not in $A_i$ but solves $Cut([M]_{p_1 p_2}, B, A_i)$ (or add the corresponding input when proving point 2). Adding this node precisely corresponds to an augmentation induced by rule (A1) (or (A2)), which will be our $H_{i+1}$. We can then choose $L_{i+1}$ to be equal to $L_i$ but also mapping the newly added node to $A'$ accordingly.

The above procedure shows how to construct the various $H_i$ and $L_i$. In order to complete the proof, we need to show that we always find the $k$. But this follows from the fact that augmentations always increase the size of a skeleton, and observing that we stop once we reach an isomorphism. $\square$

Example 2. Let $S = \{s_i\}_{i = 1, \ldots, 5}$, $s_1, s_2 \in p_1$, $s_3, s_4 \in p_2$, $s_5 \in p_3$ and such that:

$s_1 = +[[secret]_{p_1 p_3}]_{p_1 p_2} \Rightarrow -[reject]_{p_2 p_1}$

$s_2 = +[[secret]_{p_1 p_3}]_{p_1 p_2} \Rightarrow -[[newsecret]_{p_3 p_1}]_{p_2 p_1}$

$s_3 = -[[secret]_{p_1 p_3}]_{p_1 p_2} \Rightarrow +[reject]_{p_2 p_1}$

$s_4 = -[[secret]_{p_1 p_3}]_{p_1 p_2} \Rightarrow +[[secret]_{p_1 p_3}]_{p_2 p_3} \Rightarrow -[[newsecret]_{p_3 p_1}]_{p_3 p_2} \Rightarrow +[[newsecret]_{p_3 p_1}]_{p_2 p_1}$

$s_5 = -[[secret]_{p_1 p_3}]_{p_2 p_3} \Rightarrow +[[newsecret]_{p_3 p_1}]_{p_3 p_2}$

If, for instance, $p_2 \in R$ and we start from $s_5$, we can then apply (A1) for $B = \emptyset$, $M = [secret]_{p_1 p_3}$ and $m$ being the first node of the strands $s_1$ / $s_2$. We obtain the following skeleton:
[Diagram (4), not reproduced: the first node of $s_1$ / $s_2$, transmitting $[[secret]_{p_1 p_3}]_{p_1 p_2}$, precedes the reception of $[[secret]_{p_1 p_3}]_{p_2 p_3}$ on $s_5$, which is followed by the transmission of $[[newsecret]_{p_3 p_1}]_{p_3 p_2}$.]

This skeleton is a shape for $s_5$. If we start from $s_2$, we can then apply (A1) for $B = \emptyset$, $M = [newsecret]_{p_3 p_1}$ and $m$ being the second node of $s_5$. We then have:

[Diagram, not reproduced: $s_2$ in full ($+[[secret]_{p_1 p_3}]_{p_1 p_2} \Rightarrow -[[newsecret]_{p_3 p_1}]_{p_2 p_1}$) together with $s_5$ in full ($-[[secret]_{p_1 p_3}]_{p_2 p_3} \Rightarrow +[[newsecret]_{p_3 p_1}]_{p_3 p_2}$), with the second node of $s_5$ preceding the second node of $s_2$ and the first node of $s_2$ preceding the first node of $s_5$.]

Above we have actually applied (A1) twice, where the second application (for $M = [secret]_{p_1 p_3}$) just added the ordering from the top node of $s_2$ to the first node of $s_5$. Note that (4) differs from the above because the latter has more information about $s_2$, but they are both realized (and DG).
The set of boxes $B$ is not always empty. For instance, for $b = [secret]_{p_1 p_3}$, with strands

$s'_1 = +[b]_{p_1 p_2} \Rightarrow -[b]_{p_2 p_1}$

$s'_2 = -[b]_{p_1 p_2} \Rightarrow +[b]_{p_2 p_3} \Rightarrow -[b]_{p_3 p_2} \Rightarrow +[b]_{p_2 p_1}$

$s'_3 = -[b]_{p_2 p_3} \Rightarrow +[b]_{p_3 p_2}$

and applying (A1) to $s'_2$ with $R = \emptyset$, we get the following skeleton for $M = b$ and $B = \{[b]_{p_1 p_2}\}$:

[Diagram, not reproduced: the four nodes of $s'_2$, with messages $[b]_{p_1 p_2}$, $[b]_{p_2 p_3}$, $[b]_{p_3 p_2}$ and $[b]_{p_2 p_1}$, together with the added node of $s'_3$ transmitting $[b]_{p_3 p_2}$, ordered before its reception on $s'_2$.]

4 A Protocol Description Calculus

We illustrate our ideas with the simplest possible calculus. The syntax of this minimal choreography language (based on the Global Calculus [4]) is given by the following grammar:

$$C ::= \Sigma_i\ p_1 \to p_2 : op_i(\tilde{M}_i).\,C_i \quad \text{(interaction)} \qquad \mid \quad \mathbf{0} \quad \text{(inactive)}$$

Above, the term $\Sigma_i\ p_1 \to p_2 : op_i(\tilde{M}_i).\,C_i$ describes an interaction where a branch with label $op_i$ is non-deterministically selected and a message $\tilde{M}_i$ is sent from role $p_1$ to role $p_2$. Every two roles in a choreography share a private channel, hence it would be redundant to make channels explicit in the syntax [2]. The term $\mathbf{0}$ denotes the inactive system. Given a choreography $C$, we assume that the various $op_i$, also on different interactions, are distinct: given the lack of an iteration operator, e.g. recursion, this is a constraint that can be imposed statically, and we include it in the well-formedness condition at the end of this section.

Our mini-language can be equipped with a standard trace semantics with configurations $C \xrightarrow{\mu} C'$, where $\mu = (p_1, p_2, op_i, \tilde{M}_i)$ contains the parameters of the interaction performed, i.e. $p_1 \to p_2 : op_i(\tilde{M}_i).\,C_i \xrightarrow{(p_1, p_2, op_i, \tilde{M}_i)} C_i$. A sequence of labels $\{\mu_i\}_i$ describes the temporal order in which the various described communications take place and is called a trace.
Assumption 1 (Well-Formedness). A choreography $C$ is well-formed whenever:

• All $op$'s are distinct;

• let $\Gamma$ be a set of pairs $p : M$. Then $\Gamma \vdash C$ such that for all $p$, $\Gamma(p)$ has no boxes, and $\vdash$ is defined by the following rules:

(T-Interact)
$$\frac{\tilde{M}_i \subseteq \Gamma(p_1) \qquad \Gamma[p_2 \mapsto \Gamma(p_2) \cup \tilde{M}_i] \vdash C_i \qquad p_2 \in top(C_i)}{\Gamma \vdash \Sigma_i\ p_1 \to p_2 : op_i(\tilde{M}_i).\,C_i}$$

(T-Inact)
$$\Gamma \vdash \mathbf{0}$$

(T-Box1)
$$\frac{\Gamma[p_1 \mapsto \Gamma(p_1) \cup \{[M]_{p_1 p_2}\}] \vdash C \qquad M \in \Gamma(p_1)}{\Gamma \vdash C}$$

(T-Box2)
$$\frac{\Gamma[p_2 \mapsto \Gamma(p_2) \cup \{M\}] \vdash C \qquad [M]_{p_1 p_2} \in \Gamma(p_2)}{\Gamma \vdash C}$$

where $top(\Sigma_i\ p_1 \to p_2 : op_i(\tilde{M}_i).\,C_i) = \{p_1\}$ and $top(\mathbf{0}) = \mathcal{R}$.

The rules above are a simple static check ensuring that a box $[M]_{p_1 p_2}$ always originates from an interaction by $p_1$ and can only be opened by $p_2$ upon reception of the box (maybe nested in other boxes). An environment $\Gamma$ is a function that associates a set of messages to a role. (T-Interact) checks that $\Gamma(p_1)$ contains each $M_i$ and allows $p_2$ to use $\tilde{M}_i$ in $C_i$. Moreover, the rule checks that $p_2$ is the sender in $C_i$. (T-Box1) says that if $p_1$ knows $M$ then it can also create $[M]_{p_1 p'}$ for any $p'$. Dually, in (T-Box2), if $p_2$ knows $[M]_{p_1 p_2}$ then it also knows $M$. Rule (T-Inact) allows typing with any $\Gamma$.

Example 3 (Buyer-Seller Protocol). Hereby, we report a Buyer-Seller financial protocol [4, 3]. A buyer Buyer asks a seller Seller for a quote about a product. If the quote is accepted, Buyer will send its credit card card together with the accepted quote to Seller, who will forward it to a bank Bank. The bank will check whether payment can be done and, if so, reply with a receipt receipt which will be forwarded to Buyer by Seller. In our mini-language we use boxes to make sure that the credit card number can only be read by Bank and that Seller does not change the accepted quote:

1. Buyer $\to$ Seller : Req(prod). Seller $\to$ Buyer : Reply(quote).

2. ( Buyer $\to$ Seller : Accept($[(quote, card)]_{Buyer\,Bank}$). Seller $\to$ Bank : Pay($(quote, [(quote, card)]_{Buyer\,Bank})$).

3. ( Bank $\to$ Seller : Ok($[receipt]_{Bank\,Buyer}$). Seller $\to$ Buyer : Succ($[receipt]_{Bank\,Buyer}$)

4. +

5. Bank $\to$ Seller : NotOk(reason). Seller $\to$ Buyer : Fail(reason) )

6. +

7. Buyer $\to$ Seller : Reject() )

Line 1 denotes the quote request and reply. Lines 2 and 7 are computational branches corresponding to acceptance and rejection of the quote respectively. If the quote is accepted, Buyer will send its credit card in the box $[(quote, card)]_{Buyer\,Bank}$, meaning that Seller cannot see it. The box is then forwarded to Bank together with the quote offered by Seller, and Bank checks that everything is fine (line 2). If the transaction can be finalised, a receipt is forwarded to Buyer. Otherwise, a NotOk message will be delivered. Bank boxes the receipt so that it cannot be seen or changed by Seller.



4.1 Abstract Strand Semantics 

The abstract strand semantics (AS semantics) is the minimum function $\llbracket \cdot \rrbracket : \mathcal{C} \to 2^S \times (\mathcal{R} \to 2^S)$ (for $S$ a set of strands) satisfying the rules in Table 1. The function takes a choreography and returns a set of strands paired with a function $who$ that maps each role $p \in \mathcal{R}$ to its strands (all the possible runs of $p$). These strands are templates, and we may use substitutions to "plug in" alternate values for the parameters in the choreography. Since these parameters do not include the labels $op_i$, we define:
(AS-Com)
$$\llbracket \Sigma_i\ p_1 \to p_2 : op_i(\tilde{M}_i).\,C_i \rrbracket = \bigcup_i\ extend(S_i, [(op_i, \tilde{M}_i)]_{p_1 p_2}, p_1, p_2, who_i) \qquad \text{where } \llbracket C_i \rrbracket = (S_i, who_i)$$

(AS-Zero)
$$\llbracket \mathbf{0} \rrbracket = (\{+\bullet_p\}_{p \in \mathcal{R}},\ \lambda p.\{+\bullet_p\})$$

Table 1: Abstract Strand Semantics for Choreography

A substitution $\sigma$ is a parameter substitution if for every label $op_i$, $\sigma(op_i) = op_i$. The strand space of a choreography $C$ is the strand space generated by applying parameter substitutions to $\llbracket C \rrbracket$. We say that a skeleton $A$ is over $\llbracket C \rrbracket$ if all of its strands belong to this strand space.

Rule (AS-Zero) gives semantics to the inactive choreography by creating a strand $+\bullet_p$ for each role $p \in \mathcal{R}$. Rule (AS-Com) gives the semantics to the interaction term of a choreography. The idea is to prefix, for every branch, every strand of $p_1$ with $+[(op_i, \tilde{M}_i)]_{p_1 p_2}$ and every strand of $p_2$ with $-[(op_i, \tilde{M}_i)]_{p_1 p_2}$ where, in general, $(op, \tilde{M})$ denotes the vector $(op, M_1, \ldots, M_k)$. The main part is played by the function $extend$, defined as:

$$extend(S, M, p_1, p_2, who) = \big(S \setminus (who(p_1) \cup who(p_2))\big) \ \cup\ \{\, a \Rightarrow s \mid (s \in who(p_1) \wedge a = +M) \vee (s \in who(p_2) \wedge a = -M) \,\}$$

The above definition says that we include all those strands which are in neither $who(p_1)$ nor $who(p_2)$. Then, we must prefix all those strands in $who(p_1)$ with the node $+M$ and all those strands in $who(p_2)$ with $-M$. For well-formed choreographies, we have the following:

Proposition 5. Let $C$ be a well-formed choreography and $(S, who)$ its semantics. Then each message 
$[M]_{p_1 p_2}$ always originates in $who(p_1)$ and can only be opened in $who(p_2)$. 

Example 4 (Semantics of the Buyer-Seller Protocol). Unlike in [3], because of the presence of corrupted 
roles (and participants), we cannot give the semantics of a choreography describing a security protocol 
simply by giving a set of executions. Therefore, the semantics of the buyer-seller protocol is a set 
of strands from which we would like to build the possible executions depending on which roles are 
compromised. Given the choreography in Example 3, we get the following strands: 

a) $+[(Req, prod)]_{BS} \Rightarrow -[(Reply, quote)]_{SB} \Rightarrow +[(Accept, [(quote, card)]_{BBk})]_{BS} \Rightarrow -[(Succ, [receipt]_{BkB})]_{SB}$ 

b) $+[(Req, prod)]_{BS} \Rightarrow -[(Reply, quote)]_{SB} \Rightarrow +[(Accept, [(quote, card)]_{BBk})]_{BS} \Rightarrow -[(Fail, reason)]_{SB}$ 

c) $+[(Req, prod)]_{BS} \Rightarrow -[(Reply, quote)]_{SB} \Rightarrow +[Reject]_{BS}$ 

d) $-[(Req, prod)]_{BS} \Rightarrow +[(Reply, quote)]_{SB} \Rightarrow -[(Accept, [(quote, card)]_{BBk})]_{BS} \Rightarrow$ 
$\Rightarrow +[(Pay, quote, [(quote, card)]_{BBk})]_{SBk} \Rightarrow -[(Ok, [receipt]_{BkB})]_{BkS} \Rightarrow +[(Succ, [receipt]_{BkB})]_{SB}$ 

e) $-[(Req, prod)]_{BS} \Rightarrow +[(Reply, quote)]_{SB} \Rightarrow -[(Accept, [(quote, card)]_{BBk})]_{BS} \Rightarrow$ 
$\Rightarrow +[(Pay, quote, [(quote, card)]_{BBk})]_{SBk} \Rightarrow -[(NotOk, reason)]_{BkS} \Rightarrow +[(Fail, reason)]_{SB}$ 

f) $-[(Req, prod)]_{BS} \Rightarrow +[(Reply, quote)]_{SB} \Rightarrow -[Reject]_{BS}$ 

g) $-[(Pay, quote, [(quote, card)]_{BBk})]_{SBk} \Rightarrow +[(Ok, [receipt]_{BkB})]_{BkS}$ 

h) $-[(Pay, quote, [(quote, card)]_{BBk})]_{SBk} \Rightarrow +[(NotOk, reason)]_{BkS}$ 

where $B$ is the buyer, $S$ is the seller and $Bk$ is the bank. Above, strands a), b) and c) belong to $B$ while 
d), e) and f) belong to $S$. Strands g) and h) are instead the local behaviour of $Bk$. 
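As an added example (not code from the paper), the following Python implements the (AS-Zero) and (AS-Com) rules of Table 1 together with the function extend for choreographies encoded as nested tuples, and recomputes the strands of Example 4 from the Buyer-Seller choreography of Example 3, re-encoded here from the strands listed above. The tuple encoding, the role names B, S, Bk and the `bullet` marker for $\bullet_p$ are assumptions of this example.

```python
# Added example (not from the paper): the abstract strand semantics of Table 1,
# rules (AS-Zero) and (AS-Com) with the function extend, for choreographies
# written as nested tuples, run on the Buyer-Seller choreography of Example 3.
#   ('zero', roles)                       the inactive choreography 0
#   ('com', p1, p2, [(op, msg, Q), ...])  sum over i of p1 -> p2 : op_i(M_i). Q_i
# A strand is a tuple of nodes (sign, message); (AS-Zero) ends every strand
# with the node +bullet_p, which Example 4 leaves implicit in its listing.

def box(msg, src, dst):
    """The box [msg]_{src dst}: created by src, openable only by dst."""
    return ('box', msg, src, dst)

def extend(S, M, p1, p2, who):
    """extend(S, M, p1, p2, who): strands of roles other than p1 and p2 are
    kept as they are; p1's strands get the prefix +M and p2's the prefix -M."""
    others = [s for s in S if s not in who[p1] and s not in who[p2]]
    sent = [(('+', M),) + s for s in who[p1]]
    recv = [(('-', M),) + s for s in who[p2]]
    new_who = {**who, p1: sent, p2: recv}
    return others + sent + recv, new_who

def semantics(C):
    """[[C]] = (S, who), by structural recursion on the choreography."""
    if C[0] == 'zero':                                            # (AS-Zero)
        who = {p: [(('+', ('bullet', p)),)] for p in C[1]}
        return [s for ss in who.values() for s in ss], who
    _, p1, p2, branches = C
    S, who = [], {}
    for op, msg, Q in branches:                                   # (AS-Com)
        Si, who_i = semantics(Q)
        Sb, who_b = extend(Si, box((op,) + tuple(msg), p1, p2), p1, p2, who_i)
        S += [s for s in Sb if s not in S]                        # union over i
        for p, strands in who_b.items():
            cur = who.setdefault(p, [])
            cur += [s for s in strands if s not in cur]
    return S, who

def runs(who, p):
    """p's strands as Example 4 lists them (trailing +bullet_p dropped, idle strand omitted)."""
    return [s[:-1] for s in who[p] if len(s) > 1]

ROLES = ('B', 'S', 'Bk')                  # buyer, seller, bank
ZERO = ('zero', ROLES)
CARD = box(('quote', 'card'), 'B', 'Bk')  # [(quote, card)]_{B Bk}
RECEIPT = box('receipt', 'Bk', 'B')       # [receipt]_{Bk B}
BUYER_SELLER = ('com', 'B', 'S', [('Req', ('prod',), ('com', 'S', 'B', [
    ('Reply', ('quote',), ('com', 'B', 'S', [
        ('Accept', (CARD,), ('com', 'S', 'Bk', [('Pay', ('quote', CARD),
            ('com', 'Bk', 'S', [
                ('Ok', (RECEIPT,), ('com', 'S', 'B', [('Succ', (RECEIPT,), ZERO)])),
                ('NotOk', ('reason',), ('com', 'S', 'B', [('Fail', ('reason',), ZERO)]))]))])),
        ('Reject', (), ZERO)]))]))])
```

Calling `semantics(BUYER_SELLER)` and then `runs(who, p)` for each role yields exactly the three buyer strands a)-c), the three seller strands d)-f) and the two bank strands g)-h) above.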
4.2 Realized Skeletons for Choreography 

We now apply the theory developed in the previous section to abstract spaces which are in fact the 
semantics of a choreography. 

In the sequel we say that $A$ is over $\llbracket C \rrbracket$ whenever it is obtained from the regular, non-compromised 
strands in $\llbracket C \rrbracket$. The following result states that whenever (A1) is not applicable, we have reached a 
realized skeleton. 

Lemma 1 (Realized Skeletons). Let $C$ be a well-formed choreography and let $A$ be a skeleton over $\llbracket C \rrbracket$ 
such that (A1) is not applicable. Then $A$ is realized. 

Proof. By Proposition 1, $A$ is realized if and only if all its cuts are solved. Let us assume, by contradiction, 
that $Cut([M]_{p_1 p_2}, B, A)$ is unsolved for some $[M]_{p_1 p_2}$ and $B$. 

By Proposition 2, we know that also $Cut([M]_{p_1 p_2}, B', A)$ is unsolved for $B' = \{\, b \mid \exists n' \prec_A n \text{ s.t. } [M]_{p_1 p_2} \sqsubseteq b \sqsubseteq msg(n') \wedge rcv(b) \in R \,\}$ for some $\preceq_A$-minimal input node $n$ in $Cut([M]_{p_1 p_2}, B, A)$ and $p_1 \in R$. As a 
consequence, we also have that $[M]_{p_1 p_2} \not\sqsubseteq_B msg(n)$. 

Now, if we prove the existence of some positive node $m \in A$ such that $\forall m'.\ m' \prec_A m \vee m' \Rightarrow^+ m$ 
implies $[M]_{p_1 p_2} \sqsubseteq_B msg(m')$, where $[M]_{p_1 p_2} \not\sqsubseteq_B msg(m)$ and $m \in R$, then we can apply (A1) to $A$, hence 
obtaining a contradiction. We distinguish two cases: 

• $B' = \emptyset$. In this case, the unsolved cut is saying that we must explain where the box $c$ has been 
created. As $p_1$ is not compromised, we must add a node belonging to $p_1$ sending $c$. The existence 
of such a node is ensured by well-formedness. 

• $B' \neq \emptyset$. As $B$ is non-empty, we must explain how $c$ has come out of some message box $[M']_{p_3 p_4}$ 
in $B$. But if that is the case, as $p_4$ is not compromised, a node belonging to $p_4$ must have performed 
such an operation. The existence of such a node is ensured by well-formedness. 

Note that in both cases above, we are exploiting the fact that the two well-formedness conditions impose 
that the operations for creation and opening of a box are performed consistently on the same choreography 
branches, i.e. role strands. □ 

The following result states that whenever (A2) is not applicable to A then A is DG. 

Lemma 2. Let $C$ be a well-formed choreography and let $A$ be a skeleton over $\llbracket C \rrbracket$ such that (A2) is not 
applicable. Then $A$ is DG. 

Proof. If that is not the case then, by definition of delivery guaranteed skeleton, we would be able to 
apply (A2). This is simply because whenever we add a positive node n to A we always have another 
strand belonging to a different role and containing a negative node m such that msg(m) = msg(n). □ 

We finally have the following two results: 

Theorem 2 (Soundness). Let $A$ be a single-stranded skeleton over $\llbracket C \rrbracket$ and let $A \to^*_s A'$. Then, 
$A'$ is a DG shape. 

Proof. By the previous lemmas, we know that $A'$ is realized and DG. We must prove that there exists a 
homomorphism $H : A \mapsto A'$ which is a shape. 

As $A \to^*_s A'$ then, by Proposition 4, we can choose $H = H_k \circ \ldots \circ H_0$ where $H_i : A_i \mapsto A_{i+1}$ for 
$A_0 = A$ and $A_{k+1} = A'$ and some $A_i$. We shall prove that $H_k \circ \ldots \circ H_i : A_i \mapsto A'$ is a shape for $A_i$, for all 
$i$. We do it by induction on $j = k - i$. 

• Base Case, $j = 1$. We have to prove that $H_k : A_k \mapsto A'$ is a shape for $A_k$. By Proposition 3, we know 
that $A_k$ is not realized and/or not DG. Hence, $H_k$ must be the minimum homomorphism mapping 
$A_k$ to a DG realized skeleton. In fact, both (A1) and (A2) add the minimum node explaining a 
box or receiving a pending output. 

• Inductive Case. Let us assume that $j = i + 1$. By induction hypothesis we know that $H_k \circ \ldots \circ H_{i+1} : A_{i+1} \mapsto A'$ is a shape for $A_{i+1}$. But then, as augmentations are minimal strictly monotone 
embeddings with respect to shapes, we have that also $H_k \circ \ldots \circ H_i : A_i \mapsto A'$ is a shape for $A_i$. 

□ 

Theorem 3 (Termination). Let $A$ be a single-stranded skeleton over $\llbracket C \rrbracket$. Then, we can reduce $A$ only 
a finite number of times. 

Proof. $\llbracket C \rrbracket$ is finite and the reduction rules are augmentations (they increase the number of nodes). As the 
same node cannot be added twice, we must eventually exhaust all nodes. □ 

Example 5 (Shapes of the Buyer-Seller Protocol). We show how to compute some shapes of the Buyer-
Seller protocol starting from its semantics given in the previous section. We start from the buyer's strand 
a), assuming that the seller is compromised. Applying (A1) to its fourth node, we get: 



[Figure: the buyer strand $+[(Req, prod)]_{BS} \Rightarrow -[(Reply, quote)]_{SB} \Rightarrow +[(Accept, [(quote, card)]_{BBk})]_{BS} \Rightarrow -[(Succ, [receipt]_{BkB})]_{SB}$ together with the bank strand $-[(Pay, quote, [(quote, card)]_{BBk})]_{SBk} \Rightarrow +[(Ok, [receipt]_{BkB})]_{BkS}$, with $\prec$ edges from the buyer's $+[(Accept, \ldots)]_{BS}$ to the bank's $-[(Pay, \ldots)]_{SBk}$ and from the bank's $+[(Ok, \ldots)]_{BkS}$ to the buyer's $-[(Succ, \ldots)]_{SB}$.] 



Note that we have actually applied (A1) twice: the second time it was applied to the first node of the 
new strand, and its result was only adding the relation $\prec$. The image of the shape for strand b), the case 
when the bank does not accept the transaction, is similar. Let us now consider d) and let us assume that 
the buyer is compromised. In this case, for $M = [(Pay, quote, [(quote, card)]_{BBk})]_{SBk}$, by applying (A1) 
(twice) we get: 



[Figure: the seller strand $-[(Req, prod)]_{BS} \Rightarrow +[(Reply, quote)]_{SB} \Rightarrow -[(Accept, [(quote, card)]_{BBk})]_{BS} \Rightarrow +M \Rightarrow -[(Ok, [receipt]_{BkB})]_{BkS} \Rightarrow +[(Succ, [receipt]_{BkB})]_{SB}$ together with the bank strand $-M \Rightarrow +[(Ok, [receipt]_{BkB})]_{BkS}$, with $\prec$ edges from the seller's $+M$ to the bank's $-M$ and from the bank's $+[(Ok, \ldots)]_{BkS}$ to the seller's $-[(Ok, \ldots)]_{BkS}$.] 






Choreographies, Secure Boxes and Compromised Principals 



Example 6. Let us consider a slightly different version of the Buyer-Seller protocol, where the buyer 
does not include the quote together with her credit card. In particular we would have the following new 
strands (the missing ones are unchanged): 

a') $+[(Req, prod)]_{BS} \Rightarrow -[(Reply, quote)]_{SB} \Rightarrow +[(Accept, [card]_{BBk})]_{BS} \Rightarrow -[(Succ, [receipt]_{BkB})]_{SB}$ 
b') $+[(Req, prod)]_{BS} \Rightarrow -[(Reply, quote)]_{SB} \Rightarrow +[(Accept, [card]_{BBk})]_{BS} \Rightarrow -[(Fail, reason)]_{SB}$ 
d') $-[(Req, prod)]_{BS} \Rightarrow +[(Reply, quote)]_{SB} \Rightarrow -[(Accept, [card]_{BBk})]_{BS} \Rightarrow$ 
$\Rightarrow +[(Pay, quote, [card]_{BBk})]_{SBk} \Rightarrow -[(Ok, [receipt]_{BkB})]_{BkS} \Rightarrow +[(Succ, [receipt]_{BkB})]_{SB}$ 
e') $-[(Req, prod)]_{BS} \Rightarrow +[(Reply, quote)]_{SB} \Rightarrow -[(Accept, [card]_{BBk})]_{BS} \Rightarrow$ 
$\Rightarrow +[(Pay, quote, [card]_{BBk})]_{SBk} \Rightarrow -[(NotOk, reason)]_{BkS} \Rightarrow +[(Fail, reason)]_{SB}$ 
g') $-[(Pay, quote, [card]_{BBk})]_{SBk} \Rightarrow +[(Ok, [receipt]_{BkB})]_{BkS}$ 
h') $-[(Pay, quote, [card]_{BBk})]_{SBk} \Rightarrow +[(NotOk, reason)]_{BkS}$ 

If the seller is corrupted, starting from g') and applying (A1) to its first node, we get the realized skeleton: 

[Figure: the buyer nodes $+[(Req, prod)]_{BS} \Rightarrow -[(Reply, quote)]_{SB} \Rightarrow +[(Accept, [card]_{BBk})]_{BS}$ together with the bank strand $-[(Pay, quote', [card]_{BBk})]_{SBk} \Rightarrow +[(Ok, [receipt]_{BkB})]_{BkS}$, with a $\prec$ edge from the buyer's $+[(Accept, [card]_{BBk})]_{BS}$ to the bank's $-[(Pay, quote', [card]_{BBk})]_{SBk}$.] 

The realized skeleton above shows a flaw, or at least an undesirable aspect, of this version of the 
protocol. The value $quote$ that the client accepted can be different from the $quote'$ received by the bank, 
allowing the seller to cheat on the quote agreed with the buyer. 

5 Conclusions 

In this paper, we have used the strand space framework to study the possible behaviors of choreographies 
executing in the presence of compromised principals. In this framework, the strands of the uncompro- 
mised regular participants can freely interact with each other and with behaviors possible for corrupted 
parties. We clarified these behaviors by presenting a pair of transition rules which generate all of the 
minimal, essentially different executions. 

It is a strength of this approach that it allows us to formulate and characterize a number of interest- 
ing properties. For instance, what about the relationship between shapes (namely minimal executions) 
and other, possibly non-minimal executions? One might expect that non-minimal executions would be 
disjoint unions of copies of shapes. However, this intuition requires a property of choreographies, which 
may be characterized syntactically. In effect, it requires that when the choreography has a choice, then 
the same principals are active across both branches of the choice (except possibly the last principal on 
one branch). This corresponds to an assumption of [6]. We also conjecture that, under these assump-
tions, shapes are run-once, i.e. there is at most one strand belonging to each role. In 
future work we intend to explore properties of this kind, in particular when the choreography language 
is extended with parallel composition and recursive behaviour. 
We also intend to study the relation between protocol descriptions at the choreography-and-box level 
and at the concrete cryptographic level. We intend to investigate properties of protocol transformations 
in general [10] in order to develop fine-grained principles governing how to generate cryptographic 
implementations for choreographies requiring security infrastructures. 